Sunday, March 06, 2016

One of the most fascinating types of cybercrime, in my opinion, is the Unlimited ATM attack. There have been several such attacks over the years, as we've written about in this blog previously, including:

In an "Unlimited" attack, hackers gain access to the internal systems of a bank or banking network and are able either to "reset" ATM withdrawal limits or to eliminate the limits altogether for a card or group of cards. The magnetic stripe data from these cards is then widely distributed to "cash-out crews," who take responsibility for draining as many ATM cards as possible in their area. Each time a card is used, the hackers "undo" the transaction so that the card appears not to have been used.
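From the defender's side, the pattern described above leaves three signals in a processor's transaction log: a handful of cards with very high withdrawal counts, use in many countries within hours, and withdrawals that are reversed after cash was dispensed. The sketch below is an added example, not code from any bank or from the case; the event schema, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_unlimited_cards(events, window=timedelta(hours=24),
                         max_withdrawals=10, max_countries=2,
                         max_reversal_ratio=0.5):
    """Return {card: [reasons]} for cards matching the cash-out pattern.

    events: (timestamp, card, country, kind, amount) tuples, kind being
    "WITHDRAWAL" or "REVERSAL" (hypothetical schema; thresholds are assumed).
    """
    by_card = defaultdict(list)
    for ev in sorted(events):
        by_card[ev[1]].append(ev)
    flagged = {}
    for card, evs in by_card.items():
        reasons, start = set(), 0
        for end in range(len(evs)):
            # Shrink the window until it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            cash = [e for e in span if e[3] == "WITHDRAWAL"]
            undone = [e for e in span if e[3] == "REVERSAL"]
            if len(cash) > max_withdrawals:
                reasons.add("withdrawal velocity")
                # Cash left the ATM, yet the ledger entry was undone.
                if len(undone) / len(cash) > max_reversal_ratio:
                    reasons.add("withdrawals reversed after cash dispensed")
            if len({e[2] for e in cash}) > max_countries:
                reasons.add("geographic spread")
        if reasons:
            flagged[card] = sorted(reasons)
    return flagged

def sample_events():
    """Constructed data: CARD-A mimics a cash-out, CARD-B is ordinary use."""
    t0, events = datetime(2020, 1, 1), []
    countries = ["US", "DE", "JP", "CA"]
    for i in range(40):
        ts, where = t0 + timedelta(minutes=10 * i), countries[i % 4]
        events.append((ts, "CARD-A", where, "WITHDRAWAL", 800))
        events.append((ts + timedelta(minutes=1), "CARD-A", where, "REVERSAL", 800))
    for day in range(3):
        events.append((t0 + timedelta(days=day), "CARD-B", "US", "WITHDRAWAL", 100))
    return events

if __name__ == "__main__":
    print(flag_unlimited_cards(sample_events()))
```

The window is recomputed at every event for readability; a production rule would keep running counters per card instead.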

33-year-old Turkish citizen Ercan Findikoglu was charged with conducting three such Unlimited campaigns.

In February 2011, $10M was withdrawn using the pre-paid debit cards distributed by the American Red Cross to disaster relief victims. The cards were operated by JPMorgan Chase. On February 27 and 28, 2011, a total of around 20 pre-paid debit cards were used in approximately 15,000 transactions to withdraw $10M from ATM machines in 18 countries, including ATMs in the Eastern District of New York.

In Findikoglu's second Unlimited attack, pre-paid debit cards for the India-based company ECS, operated by National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates, were used. On December 21 and 22, 2012, approximately 5,000 transactions in at least 20 countries resulted in the withdrawal of $5M.

In the largest of his three documented Unlimited campaigns, enStage, a California-based payment processor, suffered an intrusion and had many cards stolen from its internal database. A group of pre-paid debit cards for Bank Muscat in Oman were selected as the target, and on February 19 and 20, 2013, 36,000 transactions in 24 countries were used to steal $40M.

ERCAN FINDIKOGLU, who called himself "Segate" or "Predator" online, was arrested in December of 2013 while visiting Germany.

On June 24, 2015, Ercan was ordered into US detention, having been extradited from Germany. The German courts in Frankfurt declared that Findikoglu was "the most-wanted computer hacker in the world and may face more than 247 years in prison if convicted of all U.S. charges" (as quoted in Bloomberg's story of 23JUN2015 - "Most-wanted cybercriminal extradited to U.S. from Germany.")

As usual, the reality of sentencing varies dramatically from the overblown initial press release. On March 1, 2016, all parties appeared before the Honorable Judge Kiyo A. Matsumoto for a Change of Plea Hearing. Sentencing is scheduled for July 12, 2016, but according to the BBC, prosecutors have agreed in a plea deal to limit his incarceration to "between 11 and 15 years." (See "US bank hacker faces long jail time").

Many of the "Cash-out crews" from these operations have been separately arrested and charged, while many others (the vast majority really) remain at large.